The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said.
John Cartwright, one of the creators of the Full Disclosure list, posted a message on the list saying that he was suspending the list immediately because someone in the security community had asked that a large number of messages be removed from the list’s archive for an unspecified reason. Cartwright did not name the person who made the request, but said he was unwilling to take a “virtual hatchet to the list archives on the whim of an individual”.
When it began in 2002, Full Disclosure was an alternative to the Bugtraq list, which was moderated, something that annoyed some of its members. The new list was meant to be a more free-form discussion, and it often included information on zero-day vulnerabilities, along with exploit code, especially in the early days. Many software vendors were not happy to have data on bugs in their products published on a mailing list, but in 2002 most of those vendors didn’t have established security response processes, bug-reporting guidelines or even email addresses for accepting vulnerability advisories. Full Disclosure was a valuable source of information on vulnerabilities in all manner of software and hardware, and over the years many vendors began posting their own advisories to the list.
The list had more than its share of trolls and troublemakers, and it got the occasional legal threat from vendors. But Cartwright said he never thought that the reason he’d have to shut Full Disclosure down would be the actions of a member of the list rather than a vendor.
“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done,” Cartwright wrote in his message.
“I’m not willing to fight this fight any longer. It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”
Full Disclosure appeared on the scene at a time when many vendors were not paying a whole lot of attention to security and security researchers who found flaws in their products. Posting full details of a new bug for the world to see on the mailing list was one of the few methods researchers had to get vendors to pay attention and fix their software. Now, most major vendors have formal security response processes and deal directly with researchers on a regular basis, and some have lucrative bug bounty programs to reward them for their work.
And researchers who would rather go another route can simply post a link on Twitter or write a blog post and get the word out more quickly than by sending a message to a mailing list.
“Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings. We have blogs and Twitter, not to mention hundreds of security conferences. I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information,” said Chris Eng, VP of security research at Veracode.
The end of Full Disclosure puts a period at the end of that chapter in the security industry.
“I’m suspending service indefinitely. Thanks for playing,” Cartwright wrote.
Image from Flickr photos of Rianna_reo.